An investigation has found that hundreds of bounty hunters had access to the highly sensitive data—and one requested phone locations over 18,000 times.

The news: Motherboard has uncovered documents that reveal the shocking extent to which location data from Americans’ phones is being used without their knowledge. Its investigation has revealed that AT&T, T-Mobile, and Sprint sold location data to an aggregator. It then sold some of the information to a now-defunct company called CerCareOne, which operated from around 2012 to 2017, and sold location data to some 250 bounty hunters—those who claim a reward to help track people who have skipped bail.

The data: CerCareOne was keen to keep a low profile, using contracts that even forbid customers from revealing it had a website. It offered various kinds of information, including super-accurate “assisted-GPS,” or A-GPS, location data. This uses both GPS receivers on wireless base stations and phones’ in-built GPS chips to pinpoint a device’s location to within a few meters, even inside a building.

The controversy: A-GPS was developed to allow first responders to track the location of emergency calls, but telecom firms have been selling this and other highly sensitive location data without informing customers. In January, Motherboard revealed that a bounty hunter had sold one of its reporters location data about the reporter’s own phone for $300. Other black-market transactions may well have been taking place for years, letting people’s phones be tracked without their knowledge.

US telcos claimed the sale of the reporter’s data was an isolated incident. But the new investigation shows consumer location data was being distributed widely. Some bounty hunters reportedly made requests for large numbers of location “pings,” sometimes tracking phones minute by minute or hour by hour. One even used the service over 18,000 times in just over a year, according to records obtained by Motherboard. Some bail agreements permit the tracking of people’s phones if they disappear, but it’s not hard to see how location data could be leaked for unauthorized uses.

The backlash: In January, the telecom giants said they would stop selling location data to aggregators. But the US Federal Communications Commission (FCC) is still investigating the companies’ handling of sensitive location information. In a tweet responding to Motherboard’s latest story, Jessica Rosenworcel, an FCC commissioner, called on the agency’s staff to speed up its review. “There’s something fundamentally wrong,” she wrote, “when hundreds of bounty hunters can pay a few hundred dollars and know where any of us are with our mobile devices.”

Martin GilesI am the San Francisco bureau chief of MIT Technology Review, where I cover the future of computing and the companies in Silicon Valley that are shaping it. Before joining the publication, I led research and publishing at a venture capital firm focused on business technology. Prior to that, I worked for The Economist for many years as a reporter and editor, most recently as the paper’s West Coast-based tech writer.

Martin GilesI am the San Francisco bureau chief of MIT Technology Review, where I cover the future of computing and the companies in Silicon Valley that are shaping it. Before joining the publication, I led research and publishing at a venture capital firm focused on business technology. Prior to that, I worked for The Economist for many years as a reporter and editor, most recently as the paper’s West Coast-based tech writer.

ImageGetty Images

Sign up for The Download — your daily dose of what's up in emerging technology